Analysis
max time kernel: 300s
max time network: 190s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 03-10-2023 04:47
Static task
static1
Behavioral task
behavioral1
Sample
1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
Resource
win10-20230915-en
General
Target: 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
Size: 228KB
MD5: 390a1fd3c5b6cbcf3bc003e9bf7af94e
SHA1: 3bc7ef3fc326816436acecdc72cdfc7eb8526c60
SHA256: 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42
SHA512: 7d3d6244de300a316ce098321ed2669b9d6a6fcb5791bd197c29b077376657bdaf92e2530e8ca0329333c6572dd8a4b589500f8950f54ef04f6bd237101a9e15
SSDEEP: 3072:UQ+15yaha3TnpsR4o1eChmPvPP/iMOUZ5gIF25/Q+:vFB3Tnp44o1ehn39Obi25
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
pid | Process
3104 | Process not Found
Executes dropped EXE (1 IoC)
pid | Process
2728 | giufgcs
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | giufgcs
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | giufgcs
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | giufgcs
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4864 | 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
4864 | 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
3104 | Process not Found (this entry is repeated 62 times in the report)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3104 | Process not Found
Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
4864 | 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
2728 | giufgcs
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3104 | Process not Found
Token: SeCreatePagefilePrivilege | 3104 | Process not Found
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4864
C:\Users\Admin\AppData\Roaming\giufgcs
Command line: C:\Users\Admin\AppData\Roaming\giufgcs
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2728
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 228KB
MD5: 390a1fd3c5b6cbcf3bc003e9bf7af94e
SHA1: 3bc7ef3fc326816436acecdc72cdfc7eb8526c60
SHA256: 1debc00b0df8f07fcad2e269ecbede7928ee1b8aa9fed1c568420e80536b1e42
SHA512: 7d3d6244de300a316ce098321ed2669b9d6a6fcb5791bd197c29b077376657bdaf92e2530e8ca0329333c6572dd8a4b589500f8950f54ef04f6bd237101a9e15